Ensuring Medical Data Safety Demands Quality Control
Data breaches cost health care nearly $6 billion annually

Barbara A. Cleary
Published: Tuesday, January 25, 2011 - 05:00

A young man in PQ Systems' hometown survived a dramatic auto accident last summer in which police-captured video footage of his spectacular, airborne vehicle was broadcast throughout the nation. That was just the beginning of his problems, for during his hospitalization, his medical records were apparently accessed by unauthorized hospital personnel and leaked to those outside the hospital.

A recent dramatic case of health-care data breach occurred when gamers who were seeking bandwidth to play a video game accessed a server storing protected information on 230,000 patients at Seacoast Radiology in Rochester, New Hampshire. News reports bring frequent stories about leaks that can cause not only embarrassment, but also legal action or threats to physical well-being.

Privacy violations, voiced as Health Insurance Portability and Accountability Act (HIPAA) or Office of Civil Rights (OCR) complaints, represent a serious threat to the maintenance of individuals' privacy in medical care, and seem to be on the rise. Not only a fraud issue, these violations reflect lapses in quality control, because data security represents a process that can be monitored, charted, and analyzed for improvement.

With data breaches costing the health care industry nearly $6 billion a year, a survey of 211 senior managers at 65 provider organizations conducted by Ponemon Institute, a research firm focusing on privacy, data protection, and information security policy, indicates that a significant number of these organizations cannot properly secure data. Respondents at 71 percent of the surveyed provider facilities—hospitals, delivery systems, and physician practices—reported inadequate resources, a lack of appropriately trained personnel (52%) and insufficient policies and procedures (69%) to detect or prevent breaches.

More troubling, many organizations do not perceive data security to be a priority. Protecting patient information is not a top priority at 70 percent of responding hospitals. Two-thirds of organizations have fewer than two staff dedicated to data protection management, the Ponemon study indicates. The institute cautions that with a small sample size, it is dangerous to generalize about the industry. Nonetheless, any data breach or privacy violation is troubling.

Privacy areas that are most often investigated by the Justice Department (with few criminal prosecutions, despite increasing numbers of complaints) are:
• Impermissible uses and disclosures of protected health information (PHI)
• Lack of safeguards of personal health information
• Lack of patient access to their PHI
• Uses or disclosures of more than the minimum necessary PHI
• Complaints to the covered entity

Health data security breaches, or medical information accessed inappropriately, affected more than 500 patient records in less than four weeks from Sept. 23 through Oct. 18, 2010, with a total for the year of 181 events affecting 5,017,217 patient records, according to an analysis by HIP/SA (figure 1). For the most part, the breaches are due to data theft. With increasing use of electronic data capture and storage in medical records, security breaches remain a concern.

| Type of breach | Number of incidents | Number of individuals affected |
|---|---|---|
| Theft | 102 | 3,171,127 |
| Unauthorized access | 40 | 239,078 |
| Loss | 36 | 1,180,172 |
| Improper disposal | 12 | 71,209 |
| Hacking/IT incident | 11 | 93,739 |
| Other | 1 | 344,579 |

Figure 1: Health data security breaches from Sept. 23–Oct. 18, 2010

The question for the quality professional to consider is how traditional improvement tools and techniques can reduce breaches of health data security. These same tools have helped improve processes and products in manufacturing, education, and service industries around the world.

The answer? Data. Collecting data, as the chart above demonstrates, can pinpoint the kinds of breaches that are most common. A Pareto diagram (figure 2) will clearly identify the categories with the greatest impact. Further analysis of data will point to process breakdowns. If one were to analyze thefts, for example, disaggregating the data by time of day, personnel on duty, type of information that is stolen, whether it is electronic or physical access, or other markers, an improvement plan could be developed based on data. Information is derived from data analysis and actions can then be based on accurate information.

The lack of physical safeguards continues to be one of the leading actionable complaints in the HIPAA privacy enforcement program.

Figure 2: Privacy breaches by type, Sept. 23–Oct. 18, 2010.

Another approach to data analysis might be to look more closely at other entities that have had to take corrective action to get into compliance with HIPAA standards. One might think that health-care management breaches occur in hospitals only, but this is clearly not the case. Potential entities include private medical practices, general hospitals, outpatient facilities, health plans, and pharmacies.

A case in Texas, for example, involved six independent pharmacies that filed a lawsuit against CVS Caremark, charging violations of the HIPAA privacy rule, among other offenses. CVS Caremark is a national pharmacy chain and mail-order pharmacy benefit management firm.

A growing sense of privacy breaches has emerged in financial and retail industries as well as in health care, of course. This is not a health care problem per se, but instead represents expanding technology that demands increased scrutiny of data management. This scrutiny depends on understanding the scope of the problem, and this is where information technology and data analysis play key roles. Without understanding what kinds of breaches occur, as well as their frequency and impact, any attempt to bolster data security will be simply a shot in the dark.

About The Author

Barbara A. Cleary, Ph.D., is a teacher at The Miami Valley School, an independent school in Dayton, Ohio, and has served on the board of education in Centerville, Ohio, for eight years—three years as president. She is corporate vice president of PQ Systems Inc., an international firm specializing in theory, process, and quality management. She holds a master's degree and a doctorate in English from the University of Nebraska. Cleary is author and co-author of five books on inspiring classroom learning in elementary schools using quality tools and techniques (i.e., cause and effect, continuous improvement, fishbone diagram, histogram, Pareto chart, root cause analysis, variation, etc.), and how to think through problems and use data effectively. She is a published poet and a writer of many articles in professional journals and magazines including CalLab, English Journal, Quality Progress, and Quality Digest.
© 2023 Quality Digest. Copyright on content held by Quality Digest or by individual authors. Contact Quality Digest for reprint information.
“Quality Digest" is a trademark owned by Quality Circle Institute, Inc.